OASIS Mailing List Archives

xacml-users message


Subject: Re: [xacml-users] policy combine algorithm


hao chen wrote:
> Hi,
> 
> If the effects of all rules of all policies are defined as "permit",
> does setting rules' or policies' combine algorithm to deny-overrides
> make any sense? I think this setting does not make any sense since
> "deny" of a rule value or a policy-value will never occur. Is this
> a correct statement?

In that case, permit-overrides, first-applicable and deny-overrides will
all lead to the same result. The specification for deny-overrides is
roughly:

http://lists.oasis-open.org/archives/xacml-comment/200808/msg00024.html

So in your case, the first two steps will not apply, but the remaining
three are exactly what you want.

If performance is important for you, you should choose permit-overrides,
since that algorithm may leave some <Rule>s unevaluated. The
deny-overrides algorithm on the other hand will (if it is not optimized)
evaluate all the remaining rules to see whether one of them evaluates to
Deny. If the PDP is an optimizing one, both algorithms should be equivalent.

Roland
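
The behaviour described in the reply above, as an added example that is not part of the original message or of any XACML implementation: a simplified, non-optimizing rule combiner that returns the decision together with the number of rules it evaluated. The `Rule` class, the sample policy and the requests are constructed for illustration, and Indeterminate results are left out, so only the Deny, Permit and NotApplicable steps are modelled.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
ALGORITHMS = ("permit-overrides", "deny-overrides", "first-applicable")

@dataclass
class Rule:
    effect: str                      # PERMIT or DENY
    applies: Callable[[dict], bool]  # stands in for <Target>/<Condition>

    def evaluate(self, request: dict) -> str:
        return self.effect if self.applies(request) else NA

def combine(algorithm: str, rules: List[Rule], request: dict) -> Tuple[str, int]:
    """Return (decision, rules evaluated) as a non-optimizing PDP would."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown combining algorithm: {algorithm}")
    seen, evaluated = set(), 0
    for rule in rules:
        result = rule.evaluate(request)
        evaluated += 1
        stop = {"first-applicable": result != NA,
                "deny-overrides": result == DENY,
                "permit-overrides": result == PERMIT}[algorithm]
        if stop:                     # decisive result: later rules are skipped
            return result, evaluated
        seen.add(result)
    # Nothing decisive: the remaining effect wins if any rule produced it.
    for outcome in (PERMIT, DENY):
        if outcome in seen:
            return outcome, evaluated
    return NA, evaluated

# Constructed policy: every rule has effect Permit, as in the question.
PERMIT_ONLY = [
    Rule(PERMIT, lambda r: r.get("role") == "admin"),
    Rule(PERMIT, lambda r: r.get("role") == "doctor" and r.get("action") == "read"),
    Rule(PERMIT, lambda r: r.get("role") == "nurse" and r.get("action") == "read"),
    Rule(PERMIT, lambda r: r.get("department") == "billing"),
]

def compare(request: dict, rules: List[Rule] = PERMIT_ONLY) -> dict:
    return {alg: combine(alg, rules, request) for alg in ALGORITHMS}

if __name__ == "__main__":
    for req in ({"role": "doctor", "action": "read"}, {"role": "guest"}):
        print(req, compare(req))
```

For the doctor request all three algorithms return Permit, but deny-overrides evaluates all four rules while the other two stop at the second.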
